Re: [squid-users] Squid squid3-3.0.STABLE10-2.11, IE7/IE8, Microsoft Applications

From: Walter Cuestas <wcuestas_at_open-sec.com>
Date: Thu, 1 Oct 2009 16:02:23 -0500

Thanks for the reply.

The wrong behavior appears no matters if IE or Firefox are the default
browser as long as the user works with a MS application.

We have checked proxy configuration in MS Windows Media Player and
it's ok (but keeps asking for username and password) and proxycfg
reports a right configuration. MS Office has no way to configure it,
so, it uses IE configuration.

Also, we have tried upgrading and downgrading Squid, but, the thing is
that in some circumstances, MS apps, doesn't use IE proxy
configuration but this isn't happen whith others like OpenOffice.

Also, there is no other IP in the log because we are using
Dansguardian, but, we have tested just working with Squid and it's the
same behavior.

Next is better log extract :

127.0.0.1 - - [01/Oct/2009:15:49:53 -0500] "GET
http://www.microsoft.com/isapi/redir.dll? HTTP/1.0" 407 1901
TCP_DENIED:NONE
127.0.0.1 - smedina [01/Oct/2009:15:49:55 -0500] "GET
http://www.microsoft.com/isapi/redir.dll? HTTP/1.0" 302 784
TCP_MISS:DIRECT
127.0.0.1 - smedina [01/Oct/2009:15:49:55 -0500] "GET
http://go.microsoft.com/fwlink/? HTTP/1.0" 302 655 TCP_MISS:DIRECT
127.0.0.1 - smedina [01/Oct/2009:15:49:56 -0500] "GET
http://latam.msn.com/? HTTP/1.0" 200 15908 TCP_MISS:DIRECT
127.0.0.1 - smedina [01/Oct/2009:15:49:56 -0500] "GET
http://rad.msn.com/ADSAdClient31.dll? HTTP/1.0" 403 1434
TCP_DENIED:NONE
127.0.0.1 - smedina [01/Oct/2009:15:49:56 -0500] "GET
http://a.rad.msn.com/ADSAdClient31.dll? HTTP/1.0" 403 1438
TCP_DENIED:NONE
127.0.0.1 - smedina [01/Oct/2009:15:49:56 -0500] "GET
http://b.rad.msn.com/ADSAdClient31.dll? HTTP/1.0" 403 1438
TCP_DENIED:NONE
127.0.0.1 - smedina [01/Oct/2009:15:49:56 -0500] "GET
http://c.msn.com/c.gif? HTTP/1.0" 200 599 TCP_MISS:DIRECT
127.0.0.1 - smedina [01/Oct/2009:15:49:57 -0500] "GET
http://rad.msn.com/ADSAdClient31.dll? HTTP/1.0" 403 1434
TCP_DENIED:NONE
127.0.0.1 - smedina [01/Oct/2009:15:49:57 -0500] "GET
http://msnportal.112.2o7.net/b/ss/msnportallatamhome/1/H.1-pdv-2/s05276950994648?
HTTP/1.0" 200 685 TCP_MISS:DIRECT
127.0.0.1 - smedina [01/Oct/2009:15:49:57 -0500] "GET
http://a.rad.msn.com/ADSAdClient31.dll? HTTP/1.0" 403 1438
TCP_DENIED:NONE
127.0.0.1 - smedina [01/Oct/2009:15:49:58 -0500] "GET
http://latam.msn.com/ajax/horoscope.aspx? HTTP/1.0" 200 2988
TCP_MISS:DIRECT
127.0.0.1 - - [01/Oct/2009:15:50:35 -0500] "GET
http://www.google.com.pe/ HTTP/1.0" 407 1853 TCP_DENIED:NONE
127.0.0.1 - smedina [01/Oct/2009:15:50:42 -0500] "GET
http://www.google.com.pe/ HTTP/1.0" 200 4746 TCP_MISS:DIRECT
127.0.0.1 - smedina [01/Oct/2009:15:50:43 -0500] "GET
http://www.google.com.pe/ HTTP/1.0" 200 4379 TCP_MISS:DIRECT
127.0.0.1 - smedina [01/Oct/2009:15:50:43 -0500] "GET
http://www.google.com.pe/images/close_sm.gif HTTP/1.0" 200 627
TCP_HIT:NONE
127.0.0.1 - smedina [01/Oct/2009:15:50:43 -0500] "GET
http://www.google.com.pe/images/chrome_48.gif HTTP/1.0" 200 3003
TCP_HIT:NONE
127.0.0.1 - smedina [01/Oct/2009:15:50:43 -0500] "GET
http://www.google.com.pe/intl/en_com/images/logo_plain.png HTTP/1.0"
200 8045 TCP_HIT:NONE
127.0.0.1 - smedina [01/Oct/2009:15:50:43 -0500] "GET
http://www.google.com.pe/images/modules/buttons/g-button-chocobo-basic-2.gif
HTTP/1.0" 200 865 TCP_HIT:NONE
127.0.0.1 - smedina [01/Oct/2009:15:50:43 -0500] "GET
http://www.google.com.pe/images/modules/buttons/g-button-chocobo-basic-1.gif
HTTP/1.0" 200 9540 TCP_HIT:NONE
127.0.0.1 - smedina [01/Oct/2009:15:50:43 -0500] "GET
http://www.google.com.pe/favicon.ico HTTP/1.0" 200 1706 TCP_HIT:NONE
127.0.0.1 - smedina [01/Oct/2009:15:50:43 -0500] "GET
http://www.google.com.pe/images/nav_logo7.png HTTP/1.0" 200 5978
TCP_HIT:NONE
127.0.0.1 - smedina [01/Oct/2009:15:50:44 -0500] "GET
http://www.google.com.pe/extern_js/f/CgJlcxICcGUrMAo4NiwrMA44BywrMBY4ECwrMBc4AywrMBg4BCwrMCU4yYgBLCswJjgFLCswJzgCLA/3__u7Qm5Gk4.js
HTTP/1.0" 200 6295 TCP_MISS:DIRECT
127.0.0.1 - smedina [01/Oct/2009:15:50:44 -0500] "GET
http://clients1.google.com.pe/generate_204 HTTP/1.0" 204 330
TCP_MISS:DIRECT
127.0.0.1 - smedina [01/Oct/2009:15:50:44 -0500] "GET
http://www.google.com.pe/csi? HTTP/1.0" 204 421 TCP_MISS:DIRECT

Thanks again!

---
Walter Cuestas Agramonte,
Certified | Ethical Hacker (C|EH)
SANS/GIAC Certified Penetration Tester (GPEN)
Gerente General
Phone : 511-997926168
Ethical Hacking/Forensics/InfoSec
http://www.open-sec.com
http://ehopen-sec.blogspot.com/
On Wed, Sep 30, 2009 at 10:04 PM, Amos Jeffries <squid3_at_treenet.co.nz> wrote:
> On Wed, 30 Sep 2009 21:05:07 -0500, Walter Cuestas <wcuestas_at_open-sec.com>
> wrote:
>> Hi, in short :
>>
>> Every time a user click on a link in a MS Office document or select some
>> Internet related app (like MS Windows Media Player), the user if forced
> to
>> re-authenticate (a popup window appears).
>>
>> We have tested using Firefox instead IE7/IE8 and happens the same, but,
> if
>> we use OpenOffice.org and Firefox in the same machines, no
>> re-authentication is required. �So, it seems this is a MS related problem
>> with Squid. �(Time and resource usage related stuff has been tested and
>> are not the source of this problem).
>
>
> Yes. New internet links by new software not already knowing the login tends
> to do this.
>
> Clicking on links within firefox is no different to opening IE and clicking
> links inside the pages themselves.
> OpenOffice I dare say makes firefox or IE open the page, yes? which would
> make the browser work with the proxy as it would for any other web page
> using credentials it has previously been given for the proxy.
>
> MS software tends to link individually to the web engine software built
> into windows. So each app (Media Player, IE, MSN, Live Messenger, Office,
> etc) has effectively its own different web browser. With their own settings
> etc.
>
> You might be able to get around some of this by ensuring that the MS
> software all use the same proxy settings.
> ( to do that set the IE internet options correctly then run the command
> line "proxycfg -u" ) but that will not help unless you can enter the user
> credentials into every piece of browser software on the computer as well.
> Or use some form of single-sign-on.
>
> Personally I dislike this model of embedding, but I applaud MS for at least
> keeping the private settings separate by default.
>
>>
>> The authentication uses the basic one (not NTLM) and goes to an Active
>> Directory.
>>
>> Any clue about it will help us a lot!
>
> Please upgrade to a recent STABLE release as soon as possible. �*10 was
> officially withdrawn for serious usability issues. There are also major
> security issues as far up as *18. I hope the 2.1 part of your version
> numbering means those at least have been patched.
>
>>
>> Thanks in advance.
>>
>> PD: Some extract from access.log :
>
> An extract which does not include the successful requests ( *_MISS and
> *_HIT) would be easier to read...
>
> Cropping it down shows only two there.
> * One is a outright forbidden (403)
> * The other is missing authentication credentials (407).
> * all requests are logged from 127.0.0.1 which prevents any track of
> whether the auth was retried later.
>
>
>
>> 127.0.0.1 - smedina [30/Sep/2009:16:40:39 -0500] "GET
>> http://rad.msn.com/ADSAdClient31.dll? HTTP/1.0" 403 1522 TCP_DENIED:NONE
>
>> 127.0.0.1 - - [30/Sep/2009:16:40:46 -0500] "GET
>> http://crl.microsoft.com/pki/crl/products/CodeSignPCA2.crl HTTP/1.0" 407
>> 2039 TCP_DENIED:NONE
>
> There is little more we can say with the given details. The fact that
> Firefox has no issues indicates it's not a Squid problem.
>
> Amos
>
>
Received on Thu Oct 01 2009 - 21:02:53 MDT

This archive was generated by hypermail 2.2.0 : Fri Oct 02 2009 - 12:00:02 MDT